Demo Virus For Mac OS X Released

Juha-Matti Laurio writes "Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise."

Viruses, worms, malware, and OS X

[linguae]

Anybody can create a virus for OS X, and it can run perfectly. The biggest problem would be how it can be able to spread to other machines.

On Windows, it isn't viruses that plague Windows, but it is worms, spyware, and adware that affects that platform. All it takes to be infected with a computer virus on any platform is to not be vigilant about the data that you download. Being infected by spyware and adware, however, relies on the security of the browser, and being infected with a worm relies on the security of the operating system's Internet connectivity.

OS X remains relatively secure because its browser does not have hooks to the shell (unlike older versions of Internet Explorer, although I've read that Internet Explorer 7 has been decoupled from the shell), and because its Unix core isn't susceptible to worms (Unix has come a long way since the worm of 1988). OS X also has a firewall, although I just learned that it isn't enabled by default (but turning it on is easy; they should change the default in OS X 10.5).

A demo virus for OS X or Linux isn't news. No operating system can block the execution of a virus unless the operating system has a list of trusted applications that it knows are virus-free. An operating system can prevent worms with better security, and spyware can be prevented by using a secure browser, but viruses cannot be blocked from execution.

Re:This is on the front page of slashdot why?

[daveschroeder]

1. Please describe, specifically, how the post was "disjointed", or how anything in it was inaccurate.

2. "Page count increasing"? Huh? Nothing in that post links to any site that has anything to do with me.

Re:Updated Score

[ryanr]

The Linux in-the-wild score is incorrect.

I've personally analyzed at least three Linux viruses that were found in the wild. And that's not counting the worms.

Re:This is on the front page of slashdot why?

[Anonymous Coward]

Attaching/appending itself to other files is a method of self propogation. If you're talking autonomous propogation that's not a virus, it's a worm. And cat doesn't prepend/append itself to everything in the directory when you run it. A virus should also perform some function the user does not intend or know about.

Re:This is on the front page of slashdot why?

[HTTP Error 403 403.9]

Or to post something almost 1,000 words long 1 minute after the story was put on the front page?

Subscribers get to see the article 10-20 before it goes "live".

Re:This is on the front page of slashdot why?

[mstone]

Both viruses and worms require automatic propagation. The distinction lies in what code performs the propagation.

Viruses take advantage of weak spots in other executable code. Macro viruses exploit a word processor's macro system. Boot sector viruses exploit the computer's boot loader. In every case, though, the virus takes advantage of some piece of already-existing piece of software that executes code automatically, usually without direct control or knowledge from the user.

A worm OTOH, is its own executable. It's essentially a self-replicating daemon. It does exploit weaknesses in a system's remote-execution code to propagate, but it doesn't require an interpreter. All it has to do is write its executable text to a block of memory, then trigger a fault which causes that block of memory to be treated as an executable.

Automatic propagation is the hallmark of a worm or virus, though. If Macarena can propagate every time someone opens an infected file, it's a virus. If you have to run a specific infection program to attach the payload to other files, it's not a virus, it's just a program that appends unwanted crap to other files.

Re:Technologically Sophisticated

[AKAImBatman]

Bullshit.

Bullshit on your bullshit, my good bullshitting sir. You underestimate the amount of bullshit that the Mac will put you through in order to run a bullshit application attachment.

All you need to do is convince the user to save an archive attachment. extract it and run the contents.

You missed a few steps. In order to simply run the attachment, you need to:

1. Save the archive attachment.
2. Ignore the warning about an "unsafe application" given by Safari or Mail.app.
3. Mount the DMG file or unzip the ZIP file.
4. Still not realize that the dearchived file is not a document despite looking exactly like an application.
5. Run the application.

Okay, so now the user has infected their system. Sort of. Their documents may be infected, but those are useless to the virus. They can't be executed, and the user isn't likely to pack up his .APP folders and share them with all his friends. Effectively, the virus has stopped spreading. So what is a virus to do? Under a Windows system, it would get ahold of the Outlook address book and mail itself to everyone. Alternatively, it would want to stay resident after reboots and/or collect information about the user's activities. Under a Mac, these things need elevated privileges to do. So the virus would have to:

6. Invoke the SUDO app to request elevated privledges.
7. User would need to fill their password into the prompt.
8. Virus would infect the necessary files to do its dirty work of spreading.

At this point, however, the user is so stupid he belongs in a mental facility. He's already ignored half a dozen explicit and implied warnings that something is wrong, just to ensure that this virus can take over his system! That's one determined user!

Some people may believe that Mac users are really that dumb, but if that were the case then viruses would already run rampant. Instead, we get an impotent "proof of concept" that can't actually spread itself. All it can do is damage your files. For a proof of concept, that's pretty pathetic.

From there the worm can easily spread on OSX, and no, root would not be required to do so.

As I've mentioned twice now, that's blatently incorrect. It can "infect" your documents, but system files require elevated privileges. "Infecting" your documents does nothing more than damage your files, and the virus can't even stay resident (or stop the user from killing it on the Dock!) without a password. So it's effective impotent and contained unless it can trick the user into giving it his/her password.